Password capture doorhanger loses focus on navigation while editing within it
Categories
(Toolkit :: Password Manager, defect, P3)
Tracking
()
People
(Reporter: dietrich, Unassigned)
References
Details
Mac OS 55.0a1 (2017-04-03) (64-bit) STR: 1. go to website with password form 2. enter username and password 3. firefox asks to save in the panel 4. focus username field in panel 5. web page form submission happens and new page loads Expected: focus remains in browser chrome panel where i'm editing Actual: panel remains open but focus is gone from panel - something in page was able to steal it from browser chrome.
Comment 1•7 years ago
|
||
Afaict this sounds a bit more dramatic than what's really happening. The popup notification indeed loses focus on navigation, which is annoying, but the focus remains on the Chrome window. Bug 1334496 might help here. I'll try that later. Dietrich, do you have a POC where it is actually possible to move focus into the content window while the doorhanger is open? I hacked this demo together in a couple of minutes, there might be more ways to steal focus: http://output.jsbin.com/guhiyoduli
Reporter | ||
Comment 2•7 years ago
|
||
> Bug 1334496 might help here. That bug seems to be focused (ha!) on the reverse situation: Making the popup steal focus from content in certain situations. > Dietrich, do you have a POC where it is actually possible to move focus into > the content window while the doorhanger is open? I hacked this demo together > in a couple of minutes, there might be more ways to steal focus: > http://output.jsbin.com/guhiyoduli No, I just noticed on Mozilla's business card service, which I hadn't logged into in years, so needed to update my password. Thanks for making that test case!
Comment 3•7 years ago
|
||
Alright, thanks for reporting!
I am trying http://output.jsbin.com/guhiyoduli, and I see the input elements flicker at the 2 second mark, but the doorhanger keeps focus. I was expecting the doorhanger to lose keyboard focus.
Updated•7 years ago
|
Oops, I just re-read this bug and my own comment 4 made little sense to me. I meant to say more clearly: I don't see the bug using the jsbin page from comment 1. My statement 'I was expecting the doorhanger to lose keyboard focus' === I was expecting to see the bug and did not. The flicker I mentioned is my visual cue that perhaps the dialog lost and regained focus, but is not a bug in itself.
Reporter | ||
Comment 8•5 years ago
|
||
Just an update that the bug still occurs on latest nightly.
Maybe worth noting:
It seems like I see this at times when I see the doorhanger pop up and there's a password but no username.
I go to enter a username, and while doing so, focus goes away as the page navigates.
Comment 9•5 years ago
|
||
Matt, is this something your team would be interested in? :)
Comment 10•5 years ago
|
||
Yes, but the doorhanger isn't a focus at the moment.
Updated•2 years ago
|
Reporter | ||
Comment 11•16 days ago
|
||
I see this pretty regularly now - perhaps because of recent changes in how the popup is activated?
I've noticed I see the popup (or at least the blue key icon?) much earlier in account creation flows - maybe triggering off email entry or something like that.
It seems like I see this at times when I see the doorhanger pop up and there's a password but no username.
I go to enter a username, and while doing so, focus goes away as the page navigates.
This is still when I see it most, and it just happened again on a page that was slow and had multiple load/redirects (appeared to, anyway).
Annoying, as I'm trying to type something and focus keeps going away whilst doing so.
Seems like an active+focused privileged input field should never be able to have focus stolen by something happening that was triggered by content.
In an attack scenario, a page could listen to key events and have a non-zero chance of capturing something you were typing into a privileged field.
Reporter | ||
Comment 12•16 days ago
|
||
In an attack scenario, a page could listen to key events and have a non-zero chance of capturing something you were typing into a privileged field.
Hm, if focus is going to other chrome-priv'd field as Johann said above, then no.
Description
•